PassiveDNS sniffs traffic from an interface or reads a pcap file and outputs the DNS server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in memory, limiting the amount of data in the log file without losing the essence of the DNS answer.

Example Using PassiveDNS

Typical usages:
1) Search for domain or IP history when working on an incident.
2) Say you have an indication of malicious C&C traffic going to an IP on port 80. The domain used by the alleged malware is supposed to be cc.twittertoday.com. Searching your flow data reveals lots of clients talking to that IP, and you might think that the whole company is p0wned. A quick search in your PassiveDNS DB shows you that the IP in question is also hosting 300+ websites, and you might even spot a website hosted on that IP that you are familiar with and that you know lots of people in the company would legitimately visit daily. Searching your PassiveDNS DB gives you no hits for the domain in question, hopefully meaning that you don't have that malware talking to that domain in your network.

3) You know that *.twittertoday.com is often used by malware and the subdomains change randomly. Many have rules for such domains in their IDS/IPS, sucking up unnecessary juice from those systems. Having a script pre-loaded with a list of regular expressions for domains and subdomains to watch for, and alerting when they hit, gives you much better domain-based threat detection.

You can also do a whois lookup for every new top domain seen, correlate the whois info with a list of known bad indicators, such as the name of the person or company that registered the domain, telephone/fax numbers, address and so on, and end up with a score that might be high enough to trigger an alert to you 🙂
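The three usages above (pivoting on an IP to see what else it hosts, a regex watchlist over query names, and scoring new top domains against known bad whois data) can all be driven from the PassiveDNS log. The following is an added example written for this page, not code from the PassiveDNS project. It assumes the `||`-separated log layout `timestamp||client||server||class||query||type||answer||ttl||count`; the log lines, the watchlist regex, the whois record and the bad-indicator lists are all constructed sample data, and `top_domain()` approximates the registrable domain with the last two labels (a real deployment would use the public suffix list).

```python
import re

# Constructed sample lines in the assumed PassiveDNS log layout:
# timestamp||client||server||class||query||type||answer||ttl||count
SAMPLE_LOG = """\
1322849924.408856||10.1.1.1||8.8.8.8||IN||www.example.com.||A||93.184.216.34||3600||5
1322849925.101010||10.1.1.2||8.8.8.8||IN||cc.twittertoday.com.||A||198.51.100.7||60||1
1322849926.202020||10.1.1.3||8.8.8.8||IN||x7q2.twittertoday.com.||A||198.51.100.7||60||2
1322849927.303030||10.1.1.4||8.8.8.8||IN||mail.example.com.||MX||mx.example.com.||3600||1
1322849928.404040||10.1.1.5||8.8.8.8||IN||cdn.shared-hosting.example.||A||198.51.100.7||300||9
"""

# Watchlist: match any subdomain of twittertoday.com (constructed example pattern).
WATCHLIST = [re.compile(r"^([a-z0-9-]+\.)*twittertoday\.com$", re.I)]

# Constructed "known bad" whois indicators, keyed by whois field name (hypothetical names).
BAD_WHOIS_INDICATORS = {
    "registrant_name": {"john bad"},
    "registrant_phone": {"+1.5555550100"},
    "registrant_email_domain": {"throwaway.example"},
}
WHOIS_WEIGHTS = {"registrant_name": 3, "registrant_phone": 2, "registrant_email_domain": 2}


def parse_line(line):
    """Parse one PassiveDNS log line into a dict; return None for malformed lines."""
    fields = line.rstrip("\n").split("||")
    if len(fields) != 9:
        return None
    ts, client, server, qclass, query, qtype, answer, ttl, count = fields
    return {
        "ts": float(ts), "client": client, "server": server, "class": qclass,
        "query": query.rstrip("."), "type": qtype, "answer": answer.rstrip("."),
        "ttl": int(ttl), "count": int(count),
    }


def top_domain(name):
    """Approximate registrable domain: last two labels (assumption, not PSL-aware)."""
    labels = name.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def ips_hosting(records, ip):
    """Usage 2: every query name that resolved (A record) to the given IP."""
    return sorted({r["query"] for r in records if r["type"] == "A" and r["answer"] == ip})


def watchlist_hits(records, patterns=WATCHLIST):
    """Usage 3: (query, answer, pattern) for each record matching a watchlist regex."""
    hits = []
    for rec in records:
        for pat in patterns:
            if pat.search(rec["query"]):
                hits.append((rec["query"], rec["answer"], pat.pattern))
                break  # one alert per record is enough
    return hits


def new_top_domains(records, seen):
    """Return top domains seen for the first time; `seen` is updated in place."""
    new = []
    for rec in records:
        td = top_domain(rec["query"])
        if td not in seen:
            seen.add(td)
            new.append(td)
    return new


def whois_score(whois, indicators=BAD_WHOIS_INDICATORS, weights=WHOIS_WEIGHTS):
    """Score a whois record (dict of field -> value) against known bad indicators."""
    score, reasons = 0, []
    for field, bad_values in indicators.items():
        value = whois.get(field, "").strip().lower()
        if value and value in bad_values:
            score += weights.get(field, 1)
            reasons.append(field)
    return score, reasons


if __name__ == "__main__":
    records = [r for r in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if r]
    print("hosted on 198.51.100.7:", ips_hosting(records, "198.51.100.7"))
    for query, answer, pattern in watchlist_hits(records):
        print(f"ALERT watchlist {pattern!r}: {query} -> {answer}")
    seen = set()
    for td in new_top_domains(records, seen):
        # Constructed whois record standing in for a live lookup of `td`.
        fake_whois = {"registrant_name": "John Bad", "registrant_phone": "+1.5555550100"}
        print(td, "whois score:", whois_score(fake_whois))
```

Run it against a real PassiveDNS log by replacing `SAMPLE_LOG` with the file contents; `seen` should be persisted between runs so that "new top domain" keeps its meaning across days, and the whois score threshold that triggers an alert is site-specific.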